Method and system using admission control in interactive grid computing systems

ABSTRACT

In brief, the invention provides a method and system for admission control in a grid computing environment. When a user request for a global session is received from a submission node, applications to be launched through the global session are identified, and resource requirements are determined. A execution node is then allocated, and the global session is established between the execution node and the submission node. A user then requests an application session through the established global session, and the application session is established with the execution node.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to U.S. Provisional Patent ApplicationNo. 60/480,197, entitled “HIERARCHICAL ADMISSION CONTROL IN INTERACTIVEGRID COMPUTING SYSTEMS”, filed on Jun. 20, 2003 and commonly assignedherewith.

FIELD OF THE INVENTION

The present invention relates generally to computer systems, and morespecifically, to interactive grid computing systems using admissioncontrol.

BACKGROUND OF THE INVENTION

Grid computing is a form of computer networking. Whereas conventionalcomputer networks focus on communication between devices, grid computingtypically harnesses the processing power of multiple computers within anetwork, and can thus be used for solving problems which are toointensive for any stand-alone machine. Grid computing also involves thesharing of computer resources. A single computer user whose normalrequirements for computer processing power are fairly minor mayoccasionally have more substantial needs, and the existence of acomputer grid enables the user to “borrow” external computer resourcesfor a period of time.

Grid computing has typically been applied to scientific or technicalproblems that require a large number of computer processing cycles oraccess to large amounts of data. An example of a grid computing projectis the SETI @Home project, in which computer users connected to theInternet donate the unused processing power of their computers toprocess data associated with signals coming from outer space, therebyaiding in the search for signs of extraterrestrial life. In a typicalgrid computing application, a large problem is divided and farmed out toa large number of computers, before the results are returned andcollated. Grid computing can be confined to the network of computerworkstations within a corporation or it can be a public collaboration.

Whereas the Internet enables the exchange of information, grid computingenables the exchange of computer power, data storage, and access tolarge databases, without users having to search for these resourcesmanually. However, existing systems and methods, have not fullyaddressed the issues relating to grid computing. Current unresolvedissues include the inability to conduct interactive sessions on a gridcomputing network, as well as the designation of appropriate methods forcontrolling and managing the allocation of resources. Additionally, theprevention of access to resources by users who have malicious intent aswell as the optimization of the use of resources by matching a user'srequirements efficiently with available resources are desirable.

SUMMARY OF THE INVENTION

In brief, the invention provides a method and system for admissioncontrol in a grid computing environment. When a user request for aglobal session is received from a submission node, applications to belaunched through the global session are identified, and resourcerequirements are determined. A execution node is then allocated, and theglobal session is established between the execution node and thesubmission node. A user then requests an application session through theestablished global session, and the application session is establishedwith the execution node.

It is to be understood that other aspects of the present invention willbecome readily apparent to those skilled in the art from the followingdetailed description where, simply by way of illustration, exampleembodiments of the invention are shown and described. As will berealized, the invention is capable of other and different embodiments,and its several details are capable of modifications in variousrespects, all without departing from the invention. Accordingly, thedrawings and description are to be regarded as illustrative in natureand not as restrictive.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a high-level object diagram of an operating environment of agrid computing system, in accordance with an embodiment of the presentinvention.

FIG. 2 is a flow diagram of an interactive session generation process,in accordance with an embodiment of the present invention.

FIG. 3 is a detailed process diagram of a global admission controlmodule, in accordance with an embodiment of the present invention.

FIG. 4 is an example application profile for global admission control,in accordance with an embodiment of the present invention.

FIG. 5 is a flow diagram of an example global admission control process,in accordance with an embodiment of the present invention.

FIG. 6 is a detailed process diagram of a session admission controlmodule, in accordance with an embodiment of the present invention.

FIG. 7 is a flow diagram of an example admission control decisionprocess, in accordance with an embodiment of the present invention.

FIG. 8 is a block diagram of an example architecture for a generalpurpose computer, in accordance with an embodiment of the presentinvention.

DETAILED DESCRIPTION

The system of the present invention includes, in one embodiment, adistributed resource management node including a grid scheduler and aglobal admission control module, and one or more execution nodes. Inspecific embodiments, the grid computing system may provide coarse grainadmission control for global, graphical interactive sessions in a gridcomputing system, fine grain admission control for per-application,graphical interactive sessions in a grid computing system, support forquality of service for graphics applications in a grid computing system,support for global session service level agreements (SLA) in a gridcomputing system, and hierarchical sessions. Embodiments of the presentinvention may also enable graphical interactive sessions in a gridcomputing system, enable grid-users to interactively launch applicationsdirectly on the execution node as part of a global session, supportimproved and guaranteed performance for global interactive sessions,support scalability through a distributed admission control design, andhelp improve the effectiveness of providing quality of serviceguarantees for graphical sessions.

Referring to FIG. 1, a high-level object diagram of an operatingenvironment of the grid computing system is shown. The grid computingsystem includes a distributed resource management (DRM) node 110, thesubmission node 112, and execution node 114. The system may include oneor a plurality of submission nodes. Similarly, the system may includeone or a plurality of execution nodes. The DRM node 110 includes a gridscheduler 116, policies 118, an application profiles repository 120, aninformation service 122, and a global admission control module 124. Theinformation service 122 stores the information about the resources inthe system. The application profiles repository 120 contains theapplication profiles in the system.

The distributed resource management framework is distributed across thesubmission node 112, the execution node 114, and the DRM node 110. Theexecution node 114 includes a session admission control module 126. Theuser submits a request for a new global interactive session through thesubmission node 112. Along with the request for a new global interactivesession, the user also submits the set of applications desired to belaunched through the global interactive session. The request for aglobal interactive session is scheduled onto an execution node 114 inthe grid computing system by the grid scheduler 116. A globalinteractive session is then established between the selected executionnode and the end-users' submission node. The end-user submits requestsfor per-application interactive sessions through this global interactivesession.

Given hierarchical sessions in the grid computing system, the notion ofhierarchical admission control is introduced. At the lowest level,admission control modules are at each execution node 114. The admissioncontrol module at the execution node 114 is referred to as the sessionadmission control module 126, and it is responsible for making admissioncontrol decisions for per-application sessions. At the next level, anadmission control module at the DRM node 110 is referred to as theglobal admission control module 124. The global admission control module124 is responsible for admission control decisions for global sessions.The grid scheduler 116 interfaces with the global admission controlmodule 124. If the DRM node 110 includes hierarchical scheduling nodes,the system would include hierarchical admission control modulescorresponding to each such scheduling node.

The application domain may be extended to include graphical, interactivesessions to remote execution node. The end-user submits job requeststhrough the submission node 112 and is given access to the remoteexecution node for graphical, interactive use. The end-user in theinteractive grid computing system creates a global session to the remoteexecution node during which it can launch multiple application sessions.

In one embodiment, such a global session may be provided by exportingthe desktop environment of the remote resource for a certain period oftime. Through such a desktop environment, the user can then launchmultiple applications and interact with them. These operations may bedone through a command line shell, through icons on the desktop, or anyother suitable execution process. More specifically, thisabove-described situation includes hierarchical interactive sessions; aglobal interactive session through the desktop environment; andper-application interactive sessions within global sessions. These termsare defined in more detail as follows:

-   -   (1) global interactive session—a global interactive session        constitutes the association between the end-user and the remote        execution node wherein the end-user interacts with the remote        execution node to launch one or more applications and        subsequently interacts with the launched applications through        the per-application sessions. One example of a global        interactive session is the virtual network computing (VNC)        remote display session wherein the graphical desktop of the        remote node is exported. Preferably, the global interactive        sessions are graphical, but they may also occur with text only        applications or any other desired interface; and    -   (2) per-application interactive session—a per-application        interactive session for an application executing on the remote        execution node is the association between the end-user and the        executing application wherein the end-user interacts directly        with the application. A per-application interactive session        occurs in the context of a global interactive session.        Preferably, the per-application interactive sessions are        graphical, but they may also occur with text only applications        or any other desired interface.

The end-user submits requests for interactive sessions to the DRM node110. The DRM node 110 then matches the user's requirements, based on thesubmitted interactive session requests, with the available resources,and then allocates an execution node 114 for interactive use. Theend-user then interactively launches applications directly on theexecution node 114 and interacts with the launched applications. Theinteraction is controlled through a controlled shell, controlleddesktop, and/or management agents. The controlled shell, desktop, andmanagement agents are driven through the authorization policies 118,which, in one embodiment, are access control lists. The authorizationpolicies 118 specify the allowed list of executables, files, networkinterfaces, and IP addresses for the particular global session. Theinteractive session is also subject to the SLAs. The SLAs specify, amongany other desired information, the CPU and network bandwidthrequirements for the session. The authorization policies 118 and theSLAs for a session as may be referred to as contracts.

FIG. 2 is a flow diagram of an interactive session generation process.After the global interactive session is then established between theselected execution node and the end-users' submission node, the end-usersubmits requests for per-application interactive sessions through thisparticular global interactive session. In step 200, the end-user createsa job request template for a new global interactive session, specifyingthe resource requirements, session requirements, and the desired list ofapplications to be launched during the session. This request issubmitted to the DRM node. At step 210, the request is received by thegrid scheduler running on the DRM node.

At step 211, in the first pass, the grid scheduler performs a matchingof resources in the grid to satisfy the coarse requirements of the user,for example, matching of the hardware requirements of the user. At step212, in the next pass, the grid scheduler selects the best executionnode that can admit the requested global interactive session satisfyingthe quality of service requirements for the desired list of applicationsto be launched during the global session. During this step, the gridscheduler interfaces with the global admission control system, whichperforms the admission check for the requested global interactivesession.

At step 214, a reservation is made on the selected execution node forthe requested global interactive session. The reservation is also madefor fine grained resources such as CPU performance, network bandwidth,etc.

At step 216, at the requested time, the selected execution node isallocated to the end-user, and the request for the new globalinteractive session is dispatched to the execution node along with theSLA for the session. At step 218, a configuration process configures thesystem before launching the global interactive session. Theconfiguration may also involve the creation of a dynamic account by adynamic account manager.

At step 219, a global interactive session is then initiated between theallocated execution node and the end-users' submission node. At step220, the end-user requests new per-application interactive sessionsdirectly through the started global interactive session. At step 222,the requests for per-application interactive sessions are verified foraccess control checks, and if successful is passed onto the sessionadmission control system on the execution node. At step 224, the sessionadmission control system performs an admission control check todetermine if the requested per-application session can be admitted intothe global interactive session. If not, in step 225, the request for newper-application session is denied. Else, the per-application session isstarted and monitored at step 226.

During the per-application session, the resource management monitoringagents monitor the global interactive session and per-applicationsession utilization values. The monitored data is aggregated byaggregator agents. Enforcement agents may use this data to enforce theSLA and quality of service requirements. An application predictor systemuses the aggregated data to predict the application behavior. At step228, the enforcement agents end the global interactive session at thetime specified in the SLA. The execution node is freed up to execute anew global interactive session if scheduled by the grid scheduler. Theterms ‘global session’ and ‘global interactive session’ are usedinterchangeably, as are the terms ‘per-application session’ and‘per-application interactive session’.

Referring now to FIG. 3, a detailed process diagram of the globaladmission control module 124 is shown. The global admission controlmodule 124 is responsible for determining if a resource can admit a newglobal interactive session. The grid scheduler 116 (shown in FIG. 1)interfaces with the global admission control module 124 to perform anadmission control check for the requested global interactive session.The inputs to the global admission control module 124 are a job request305 from the user, one or more application profiles 120, anidentification of the execution node 310 being considered, theinformation service 122, and the authorization policies 118.

The job request 305 from the user is the information provided by theuser containing the list of applications desired to be executed duringthe global interactive session. For example, the user specifies that itdesires to execute Application 1, Application 2, and Application 3. Theapplication profiles 120 contain the estimated CPU and bandwidthrequired for various classes of applications to meet their acceptableperformance levels, or quality of service requirements, while runningremotely in the interactive grid computing system. Example classes ofapplications are engineering applications, visualization applications,video games, and the like. Such application profiles may be determinedby a system administrator, and refined by an application predictorsystem.

The identification of the execution node 310 being considered is anidentification of the execution node being considered for hosting theglobal interactive session. The admission control decision 300 is beingmade for this execution node 310. The information service 122 is aglobal repository containing information of all the resources in theinteractive grid computing system. This information may be dynamicallyupdated by daemons/agents running on each resource. For example, theinformation service 122 contains information about the current resourceutilization value for a given execution node.

FIG. 4 is an example application profile 400 for global admissioncontrol. An application profile 400 of the type illustrated, forexample, in FIG. 4 may be used as input for a global admission controlprocess.

FIG. 5 is a flow diagram of an example global admission control process,in accordance with an embodiment of the present invention. In step 500,the system determines the estimated amount of CPU and network bandwidthfor the requested session. This determination may be made using a jobrequest template provided by the user wherein the user specifies a listof applications for execution. For this determination, for each of thelisted applications, the system determines the class of applicationsthat the requested application belongs to, obtains the CPU and bandwidthusage for each application from the application profiles, and thenestimates the total CPU and network bandwidth for all the listedapplications, using the values from the application profiles. Thisestimation may be done using an order of execution of the applicationsand may also be based on the policies.

In step 502, the system determines which policies are used for executingthe desired type of applications and with the desired resourceutilization level on the considered execution node. These policies maybe predefined by the system administrator. In step 504, the systemdetermines if there is a violation for any of the policies. If there isa policy violation, then the system returns “deny” and exits the processat step 506. If there is no policy violation, then the system uses theresource utilization values from the information service to estimate theavailable CPU and network bandwidth levels for the global interactivesession at the requested time at step 508. In step 510, the systemconsults the scheduler for the reservations that have been scheduled forthe requested time. In step 512, the system compares the neededresources to the available resources, comparing the values obtained fromstep 508 to the values obtained from step 500. In step 514, the systemmakes an admission control decision based on the comparison in step 512.

Referring now to FIG. 6, a detailed process diagram of the sessionadmission control module 600 is shown. The session admission control(SAC) module 600 is responsible for determining if the globalinteractive session can admit a new per-application session. The sessionadmission control module 600 receives a plurality of inputs. Therequested application 602, which is a graphics application, or othertype of application, which the user is requesting to be launched in theconsidered global interactive session, is input to the SAC module 600.In one embodiment, the user request is provided through a shell.

Application profiles 604 are input to the SAC 600. Each resource mayhave a copy of the application profiles for the applications installedon that resource. Data from monitoring agents 606 is input to the SACmodule 600. In one embodiment, the data from the monitoring agents 606is resource usage data for the global session. The service levelagreement (SLA) 608 for the global interactive session in progress isinput to the SAC module 600. In one embodiment, the SLA 608 isdetermined prior to the start of the session. The session policies 610in place for the session are also input to the SAC module 600.

Given these inputs, the session admission control module 600 checks foravailability of resources in compliance with the SLAs 608 beforestarting the requested application session. In one embodiment, the SACmodule checks the following global session parameters:

-   -   (a) Number of processes launched during a session;    -   (b) Usage time for a session;    -   (c) Disk quota usage for a session;    -   (d) CPU utilization percentage for a session; and    -   (e) Network bandwidth utilization percentage for a session.

The limiting values for these global session parameters may be specifiedin the SLA 608 for the global interactive session being considered. TheSAC module 600 compares the current values of these global sessionparameters with the limiting values agreed upon in the SLA 608 for theconsidered global interactive session. If there is a violation, or if aviolation would occur upon executing the application, the SAC module 600outputs a ‘deny’ decision for executing the application. Otherwise, theSAC module makes outputs an ‘allow’ decision for executing theapplication.

The SAC module 600 could be extended to support other session parametersas desired for a particular implementation. The illustrated frameworkfor the SAC module 600 is only one example of a SAC module in accordancewith the present invention. The parameters and inputs are illustrativeof those necessary for the grid computing system environment forgraphical, interactive sessions. However, other parameters and/or inputsmay be selected and/or removed depending on the desired use.

FIG. 7 is a flow diagram of an example admission control decisionprocess. The below described example process uses the CPU and networkbandwidth utilization parameters for a session. In step 700, the systemdetermines the class of applications that the requested applicationbelongs to. In step 702, the system obtains the CPU and networkbandwidth usage needed for this application from the applicationprofiles. In step 704, the system obtains the current CPU and networkbandwidth utilization values for the global session being consideredusing data gathered by monitoring agents. In step 706, the systemobtains the CPU and network bandwidth reservation values made for theglobal session from the SLA.

In step 708, the system determines the needed CPU and network bandwidthavailability needed for compliance with the SLA. This determination maybe made by comparing the value obtained from step 704 to the valueobtained from step 706. In step 710, the system compares the value fromstep 702 to the value from 708 to determine if the requested applicationwould violate the SLA. In step 712, the system determines whetherexecution would violate the SLA. If execution would violate the SLA,then the system returns “deny” and exits the process at step 714. Ifexecution would not violate the SLA, then the system returns “allow” atstep 716.

FIG. 8 is a block diagram of an example architecture for a generalpurpose computer suitable for performing the functions of the gridcomputing system and associated applications. The illustrated generalpurpose computer may also be suitable for running other networkapplications. A microprocessor 800, including of a central processingunit (CPU) 805, a memory cache 810, and a bus interface 815, isoperatively coupled via a system bus 880 to a main memory 820 and anInput/Output (I/O) control unit 875. The I/O interface control unit 875is operatively coupled via an I/O local bus 870 to a disk storagecontroller 845, video controller 850, a keyboard controller 855, anetwork controller 860, and I/O expansion slots 865.

The disk storage controller 845 is operatively coupled to the diskstorage device 825. The video controller is operatively coupled to thevideo monitor 830. The keyboard controller 855 is operatively coupled tothe keyboard 835. The network controller 860 is operatively coupled tothe communications device 840. The communications device 840 is adaptedto allow the network inventory adapter operating on the general purposecomputer to communicate with a communications network, such as theInternet, a Local Area Network (LAN), a Wide Area Network (WAN), avirtual private network, or a middleware bus, or with other softwareobjects over the communications network.

Computer program instructions for implementing the grid computing systemmay be stored on the disk storage device 825 until the processor 800retrieves the computer program instructions, either in full or in part,and stores them in the main memory 820. The processor 800 then executesthe computer program instructions stored in the main memory 820 toimplement the features of grid computing system. The programinstructions may be executed with a multiprocessor computer having morethan one processor.

The general purpose computer illustrated in FIG. 8 is an example of aone device suitable for performing the various functions of the gridcomputing system. The grid computing system, and any other associatedprograms, applications, components, and operations, may also run on aplurality of computers, a network server, or other suitable computersand devices.

The previous description of the example embodiments is provided toenable any person skilled in the art to make or use the presentinvention. While the invention has been described with respect toparticular illustrated embodiments, various modifications to theseembodiments will readily be apparent to those skilled in the art, andthe generic principles defined herein may be applied to otherembodiments without departing from the spirit or scope of the invention.It is therefore desired that the present embodiments be considered inall respects as illustrative and not restrictive. Accordingly, thepresent invention is not intended to be limited to the embodimentsdescribed above but is to be accorded the widest scope consistent withthe principles and novel features disclosed herein.

What is claimed is:
 1. A method of admission control for admittingglobal and application session requests in a grid computing system, themethod comprising: receiving a user request for a global session from auser at a submission node, wherein the submission node includes acomputing system local to the user; receiving from the user a list ofapplications to be launched through the global session; identifying theapplications as a set of allowed applications by consultingauthorization policies specifying a list of allowed applications;determining resource requirements for the identified applications;allocating an execution node satisfying the resource requirements,wherein the allocated execution node includes a computing system remotefrom the user; establishing the global session between the allocatedexecution node and the submission node, wherein the global sessioncreates a network connection between the submission node and theallocated execution node allowing the submission node to utilizeresources associated with the allocated execution node; receiving a userrequest for an application session through the established globalsession; and establishing the application session with the allocatedexecution node, wherein the application session allows the user tointeract directly with one or more applications running on the executionnode.
 2. A method of admission control in a grid computing systemaccording to claim 1, further comprising receiving at a node formanaging the allocated execution node the user request for a globalsession, determining by the node for managing the allocated executionnode whether to allow an establishment of the global session, receivingat the allocated execution node the user request for an applicationsession, and determining by the allocated execution node whether toallow an establishment of the application session.
 3. A method ofadmission control in a grid computing system according to claim 1,wherein the step of determining resource requirements includesconsulting an application profile, the application profile including anidentification of resource requirements for an application, includingprocessor requirements and network bandwidth requirements.
 4. A methodof admission control in a grid computing system according to claim 1,wherein the application session is a graphical interactive sessioncreated by exporting the desktop environment of the execution node tothe submission node.
 5. A method of admission control in a gridcomputing system according to claim 1, wherein multiple applicationsessions are launched in the global session.
 6. A method of admissioncontrol in a grid computing system according to claim 1, wherein userinteraction is controlled through one or more management agents, the oneor more management agents being driven by authorization policies.
 7. Amethod of admission control in a grid computing system according toclaim 1, further comprising: generating a first admission controldecision, the first admission control decision regarding the admissionof the global session to the execution node; and generating a secondadmission control decision, the second admission control decisionregarding the admission of the application session to the executionnode.
 8. A system for admission control for admitting global andapplication session requests in a grid computing environment, the systemincluding one or more processors, one or more memories coupled to theone or more processors, and program instructions stored in the one ormore memories, the one or more processors being operable to execute theprogram instructions, the program instructions comprising instructionsfor: receiving at a node for managing execution nodes a user request fora global session from a user at a submission node, wherein thesubmission node includes a computing system local to the user;identifying applications to be launched through the global session,wherein identifying applications includes identifying applications as aset of allowed applications by consulting authorization policiesspecifying a list of allowed applications after receiving from the usera list of the identified applications; determining resource requirementsfor the requested global session; determining by the node for managingthe execution nodes whether to allow an establishment of the globalsession; allocating an execution node satisfying the resourcerequirements, wherein the allocated execution node includes a computingsystem remote from the user; establishing the global session between theallocated execution node and the submission node, wherein the globalsession creates a network connection between the submission node and theallocated execution node allowing the submission node to utilizeresources associated with the allocated execution node; receiving at theallocated execution node a user request for an application session;determining by the allocated execution node whether to allow anestablishment of the application session; and establishing theapplication session with the allocated execution node, wherein theapplication session allows the user to interact directly with one ormore applications running on the allocated execution node.
 9. A systemfor admission control in a grid computing environment according to claim8, further comprising an applications profiles repository which providesinformation concerning resource requirements for individualapplications.
 10. A system for admission control in a grid computingenvironment according to claim 8, further comprising a grid schedulerwhich performs the step of allocating resources for the global session.11. A system for admission control in a grid computing environmentaccording to claim 8, further comprising one or more management agents,the one or more management agents being driven by authorizationpolicies.
 12. A system for admission control for admitting global andapplication session requests in a grid computing environment, the systemcomprising: a distributed resource management node, the distributedresource management node including a grid scheduler and a globaladmission control module, the grid scheduler configured to receive auser request for a global session from a user at a submission node andto match user requirements to available system resources and the globaladmission control module configured to determine whether to allow anestablishment of the global session, wherein the submission nodeincludes a computing system local to the user, wherein the distributedresource management node is configured to receive from the user a listof applications to be launched through the global session and identifythe list of applications as a set of allowed applications by consultingauthorization policies specifying a list of allowed applications; aplurality of execution nodes coupled to the distributed resourcemanagement node, wherein the plurality of execution nodes includecomputing systems remote from the user and the global admission controlmodule is configured to allocate one of the plurality of executionnodes; and a session admission control module within the allocatedexecution node, the session admission control module being configured todetermine whether to allow an establishment of an application session inresponse to a user request for the application session from thesubmission node, wherein the application session allows the user tointeract directly with one or more applications running on the allocatedexecution node.
 13. A computer program product for admission control foradmitting global and application session requests in a grid computingsystem, the computer program product including a non-transitory computerusable medium having computer readable code embodied in the computerusable medium, the computer readable code including instructions to:receive a user request for a global session from a user at a submissionnode, wherein the submission node includes a computing system local tothe user; identify applications to be launched through the globalsession, wherein to identify applications to be launched through theglobal session comprises identifying applications as a set of allowedapplications by consulting authorization policies specifying a list ofallowed applications after receiving from the user a list of theidentified applications; determine resource requirements for therequested global session; determine by a node for managing executionnodes whether to allow an establishment of the global session, whereinthe node for managing execution nodes includes a computing system remotefrom the user; allocate an execution node satisfying the resourcerequirements, wherein the allocated execution node includes a computingsystem remote from the user; establish the global session between thesubmission node and the allocated execution node, wherein the globalsession creates a network connection between the submission node and theallocated execution node allowing the submission node to utilizeresources associated with the allocated execution node; receive at theallocated execution node a user request for an application session;determine by the allocated execution node whether to allow anestablishment of the application session; and establish the applicationsession for the allocated execution node, wherein the applicationsession allows the user to interact directly with one or moreapplications running on the allocated execution node.
 14. A computerprogram product for admission control in a grid computing systemaccording to claim 13, wherein the step of identifying applications tobe launched through the global session includes consulting authorizationpolicies to identify applications and resources which the user isauthorized to use.
 15. A computer program product for admission controlin a grid computing system according to claim 13, wherein the step ofdetermining resource requirements includes consulting an applicationprofile, the application profile including an identification of resourcerequirements for an application, including processor requirements andnetwork bandwidth requirements.
 16. A computer program product foradmission control in a grid computing system according to claim 13,wherein the application session is a graphical interactive sessioncreated by exporting the desktop environment of the execution node tothe submission node.
 17. A computer program product for admissioncontrol in a grid computing system according to claim 13, whereinmultiple application sessions are launched in the global session.
 18. Acomputer program product for admission control in a grid computingsystem according to claim 13, wherein user interaction is controlledthrough one or more management agents, the one or more management agentsbeing driven by authorization policies.